While improvements have been made in both areas, the Energy Department still has significant lapses in implementing key security procedures designed to block access to sensitive data by DoE workers who no longer have a “need to know” and by foreign nationals visiting department laboratories to collaborate on scientific research, according to recent reviews by DoE’s inspector general.
Inspector General Gregory Friedman also expressed concern that foreign researchers from “non-sensitive” countries–those generally seen as posing low security risks–are allowed to bring their laptop computers into one unidentified laboratory run by the National Nuclear Security Administration (NNSA), the semi-autonomous DoE agency that runs the department’s nuclear weapons complex. The IG said counterintelligence officials at the lab had expressed concern those foreigners could tap into the facility’s “intranet” without authorization and download data or probe for vulnerabilities in the network.
Friedman laid out his findings in two recent reports to Energy Secretary Samuel Bodman, one focusing on threats posed by foreign researchers and the other on the so-called “sensitive compartmented information access” (SCI) program run by DoE’s Office of Intelligence and Counterintelligence.
In a March 21 report, the inspector general said that, among other lapses, the intelligence office sometimes failed to revoke SCI access permission for DoE and contractor workers who no longer needed such access because they had changed assignments or left the department.
More specifically, the IG said that in reviewing 199 of the 969 workers at DoE headquarters who were on the SCI access roster, it found 17 who remained on that roster even though they had left the department or switched assignments and no longer needed access to sensitive data. One of the 17 remained on the SCI roster for about six years after he had left DoE–without the knowledge of the intelligence office, which was alerted to the situation by investigators with the IG.
Friedman said the intelligence office had improved SCI oversight since a previous IG review found problems with the program. But the IG said that in light of the latest lapses, “we concluded that [the intelligence office] did not have adequate internal controls over its SCI access program.”
On the issue of monitoring foreign researchers coming to DoE labs, Friedman sent a March 24 report to Bodman saying that officials at several department sites were unacceptably lax in overseeing such visits and ensuring all security procedures were met.
Among other problems, he said some lab officials did not verify that foreign visitors had valid passports, visas and other immigration clearance, or did not ensure that counterintelligence reviews were conducted before foreign visitors were given access to sensitive information systems or data.
Friedman also said lab officials did not always cancel badges and take other action to terminate site access for foreign nationals once they completed their research–leading in one case to a startling breach of security at one unidentified facility.
“For example, at least one visitor accessed a laboratory using a valid identification badge on two occasions the month after his assignment had been revoked,” Friedman said in his report. “Site officials were unaware of the unauthorized access until we brought it to their attention.
“The unauthorized access is exacerbated by the fact that the same visitor’s background check had expired four months prior to the two unauthorized visits, which were made after the facility’s normal operating hours.
“Due to the fact that [the] foreign national maintained an active visit and security badge in laboratory systems, he was able to access the site without question,” Friedman continued.
“Neither the [lab official specifically in charge of monitoring the foreign visitor] nor other site officials could explain his purpose or whereabouts on the site. The situation could have been avoided had the visit been closed and site access terminated at the same time the assignment was revoked.”
The IG also said the failure to terminate site access for that foreign researcher was not an isolated occurrence. “We found…at one laboratory that 14 of the 27 foreign nationals selected for review [by the inspector general] no longer needed site access because the visit or [research] collaboration had been completed,” he said.
Friedman noted that a key DoE mission was to foster scientific research and development, and that many programs benefited from foreign collaboration. However, he said sensitive national security research increasingly depended on unclassified science and technology that might involve foreign researchers.
“While we recognize that documenting and tracking foreign national visitors and assignees requires additional attention and effort at the site level, the risk or damage to the nation’s security interests demand vigilance,” he said.
The IG said DoE had improved its oversight of foreign nationals since a past critical assessment done by his office. However, he said the problems discovered in his latest review “caused us to conclude that security risks associated with [foreign visitors to DoE facilities] remained higher than necessary.”
On the cyber-security issue identified at one NNSA lab, the inspector general said counterintelligence officials at the lab raised questions about allowing foreign nationals from non-sensitive countries to use their laptop computers in the lab.
“Both department and laboratory policy allows both U.S. citizens and non-sensitive country foreign nationals to bring their government, business or university laptop computers on to the site for unclassified, stand-alone use,” the IG said.
“Counterintelligence officials at the laboratory told us that they were concerned with the current practice because foreign nationals could connect their computer equipment to the laboratory’s Intranet without authorization. These connections pose a threat and could permit the foreign nationals to download large amounts of data, probe the network for vulnerabilities and implant malicious code.”
The IG recommended DoE restrict the connection of all computers not owned by the U.S. government to the laboratory’s network.